What Canada’s Bill C-22 would change#
Canada’s Bill C-22, branded as the Lawful Access Act, has revived a fight that privacy groups thought had already damaged the government’s earlier proposal beyond repair.
The Electronic Frontier Foundation argues that C-22 is a revised version of Bill C-2, a prior “border security” bill that drew heavy backlash from the privacy community and did not make it to committee. The new bill makes some changes, according to EFF, but keeps the same core structure: broader data retention, wider information sharing, and new powers to compel technical access to digital services.
The central concern is not one clause in isolation. It is the combined effect. If passed as described by EFF, the bill could require digital services — potentially including telecom providers, messaging apps, and other platforms — to record and retain certain information for a full year. It would also expand information sharing with foreign governments, including the United States.
EFF’s warning focuses heavily on metadata. Metadata is often described as “data about data,” but that phrase hides its value. It can show who someone communicates with, when they communicate, where they go, and how patterns change over time. A stored message may be sensitive. A year of communications metadata can be a map.
That map becomes more valuable when more companies are required to keep more of it. It also becomes a larger target. Retention mandates do not just help investigators after the fact. They create databases that attackers, insiders, and other governments may want to reach.
The backdoor problem is in the definitions#
The most serious part of EFF’s critique concerns access mandates. The group says Bill C-22 would let Canada’s Minister of Public Safety demand that companies create mechanisms to provide law enforcement access to data, so long as those mandates do not introduce a “systemic vulnerability.”
That phrase sounds like a safeguard. The problem is whether it can work.
EFF argues that the bill’s definitions of “systemic vulnerability” and “encryption” are not clear enough. That ambiguity matters. If a law says companies cannot be ordered to create a systemic vulnerability, but leaves enough room to define targeted access as something else, the protection may be weak in practice.
The risk is especially sharp for encrypted services. End-to-end encryption is designed so that only the communicating users can read the content. A provider cannot quietly turn over message contents because the provider does not hold the keys in a usable form. To create exceptional access, the system has to change.
Canadian officials, according to EFF, have suggested that surveillance can be added without creating systemic vulnerabilities. EFF rejects that premise. Its position is direct: surveillance access into encrypted communications is itself a systemic vulnerability.
That is not just a philosophical dispute. A system built to let one authorized party bypass normal encryption protections can become a system that others try to exploit. The intended user may be law enforcement. The actual user, over time, may be someone else.
The bill also reportedly bans companies from publicly revealing the existence of these orders. Secrecy may be normal in some investigations. But standing secrecy around technical access demands creates a separate accountability problem. Users cannot evaluate the security posture of a service if the most important changes are hidden. Security researchers and civil society groups cannot test public claims if the orders themselves cannot be acknowledged.
Why this matters beyond Canada#
This is a Canadian bill, but the pressure pattern is familiar.
EFF compares the issue to the United Kingdom’s reported demand last year that Apple create access affecting its optional Advanced Data Protection feature. Apple did not comply in the way the government wanted. Instead, it withdrew that feature for UK users. The result, as EFF notes, is that UK users still lack access to a stronger iCloud protection available elsewhere.
That example matters because it shows one likely outcome of lawful-access mandates. Governments may say they want targeted access. Companies may respond by removing privacy features, limiting product availability, or changing architecture in ways that affect ordinary users who are not suspected of any crime.
EFF also notes that Meta and Apple have expressed concern about Bill C-22 and opposed the bill. The source material also refers to concern from U.S. House Judiciary and Foreign Affairs committees sent to Canada’s Minister of Public Safety around backdoors into encrypted systems. The available source text does not provide the full letter, legal detail, or exact procedural status beyond EFF’s description, so those points should be treated as reported concerns rather than settled outcomes.
The broader issue is cross-border data access. Canada is not building policy in a vacuum. Data moves through cloud systems, telecom networks, app platforms, and operating systems that serve users in many countries. A technical access rule in one jurisdiction can affect product design globally, or force companies to maintain weaker regional variants.
That is why definitions in this bill matter. If the scope can include apps and operating systems, not just traditional telecom infrastructure, the effect could reach far into the software stack. A lawful-access power aimed at service providers can become a pressure point on device makers, messaging platforms, cloud services, and application ecosystems.
Data retention creates its own attack surface#
The argument for retention is usually simple: investigators may need records later. The security cost is also simple: records kept for later can be stolen later.
EFF points to a 2024 incident in which attackers took advantage of a system built by internet service providers to give law enforcement access to user data. The source excerpt does not name the incident in the provided material, but the lesson is clear enough. Lawful-access infrastructure is infrastructure. It has users, interfaces, credentials, logs, operational mistakes, and incentives for attackers.
A government mandate can normalize collection. It cannot make collected data harmless.
This is especially true for metadata. Because metadata is often treated as less sensitive than content, it can receive weaker political protection while remaining highly revealing in practice. Location patterns, communication frequency, call records, login events, and contact graphs can expose relationships, routines, medical visits, political activity, religious practice, and work sources.
For ordinary users, the harm is not limited to being personally investigated. The harm includes being swept into larger retained datasets, losing access to stronger encryption features, or using services whose security model was altered by secret order.
For companies, the bill would create operational and legal pressure. They may have to retain more information than they would otherwise keep. They may have to design compliance systems. They may have to respond to secret technical demands. Each new obligation adds cost. Each new stored dataset adds risk.
What not to overclaim yet#
The source is an advocacy analysis from EFF, not a neutral legislative digest. That does not make it irrelevant. EFF has a long track record on encryption and surveillance law. But readers should separate the claims.
What is clear from the source: EFF believes Bill C-22 keeps the major privacy problems from the earlier Bill C-2; it says the bill expands retention and information sharing; it warns that the bill could enable backdoors or encryption circumvention through unclear definitions and ministerial orders.
What should not be overstated from the provided material: the final legal interpretation of each clause, the bill’s exact parliamentary fate, the full scope of all affected services, and whether any specific company would be ordered to implement a specific technical change. Those questions require the bill text, committee record, amendments, and legal analysis beyond the excerpt.
Still, the warning is practical. Laws that compel access rarely stay abstract. They become product decisions, compliance systems, retained logs, changed encryption defaults, and risk shifted onto users.
What readers can check next#
For Canadian users, the first step is to track the bill text and any amendments, not just the political framing around “border security” or “lawful access.” The operative details are in definitions, order powers, secrecy rules, retention periods, and which classes of services are covered.
For people choosing tools, the takeaway is also concrete: prefer services that minimize metadata, publish transparency reports, support strong end-to-end encryption, and explain how they respond to government demands. No service can remove all legal risk. But architecture matters. A provider that cannot access message content is in a different position from one that can.
For policymakers, the hard question is whether a surveillance power can be built without weakening the system it touches. EFF’s answer is no, at least where encrypted communications are concerned. If a bill depends on the opposite assumption, it needs unusually clear definitions, public accountability, and technical scrutiny before it becomes law.
Bill C-22 is not just a privacy bill by another name. It is a test of whether Canada will require more data to be stored, more access paths to be built, and more security decisions to be hidden from the people who depend on them.